Solved: thanks Aditya,

marcio.tormente · ‎03-15-2016

Hello folks!

I have a link to internet and I need to create a NAT from a specific IP to my public address using some ports.

Inside interface: 192.168.13.1

host: 192.168.15.1

Outside: 200.x.x.x

Ports: many

I need to map the host to public address using many different ports (I created a service obj).

Anyone know how can I do it?

Aditya Ganjoo · ‎03-15-2016

Hi Marcio,

In your case the nat would be like:

nat (inside,outside) source static obj-192.168.13.1 obj-200.x.x.x ports ports-xlate

And yes you need to translate the ports even though we will use the same port in both direction.

Hope it answers your query.

Regards,

Aditya

Please rate helpful posts.

View solution in original post

Dinesh Moudgil · ‎03-15-2016

Hi Marcio,

According to your ASA os code you can configure the natting,
Here is the link for your reference:-
https://supportforums.cisco.com/document/33921/asa-pre-83-83-nat-configuration-examples

Regards,
Dinesh Moudgil

P.S. Please rate helpful posts.

Cisco Network Security Channel - https://www.youtube.com/c/CiscoNetSec/

marcio.tormente · ‎03-15-2016

Dinesh,

Thanks for your support, this link is good, but in the same time confuse, because in my case I believe that I have to use Dynamic Policy NAT , is the unique exemplo that show hot to map ports.

I couldn´t understand why should I map private IP to other priviate IP and than specifi the destination?

Aditya Ganjoo · ‎03-15-2016

Hi Marcio,

You cannot use dynamic Policy NAT as it is uni-directional so we need to use Static PAT.

The following example configures static NAT-with-port-translation for 192.168.13.1 at TCP port 21 to the outside ip 200.x.x.x at port 2121.

Create an object network first.

object network obj-200.x.x.x

host 200.x.x.x

ciscoasa(config)# object network my-ftp-server
ciscoasa(config-network-object)# host 192.168.13.1
ciscoasa(config-network-object)# nat (inside,outside) static obj-200.x.x.x service tcp 21 2121

Similarly,you can create same NAT for different ports using the same PUBLIC IP.

Here is a link:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/firewall/asa_91_firewall_config/nat_objects.html#pgfId-1106703

Regards,

Aditya

Please rate helpful posts.

marcio.tormente · ‎03-15-2016

thanks Aditya,

This exemplo is very good, but as I can see, I can map the ports one by one and I have differents port´s range with more than 1000 port each, for this reason I was trying to use Service Group.

In this case, is this exemplo the better solution?

Aditya Ganjoo · ‎03-15-2016

Hi Marius,

Here is an example:

Original Ports: 10000 - 10010
Translated ports: 20000 - 20010

object service ports
service tcp source range 10000 10010

object service ports-xlate
service tcp source range 20000 20010

object network server
host 10.1.1.1
object network server-xlate
host 10.2.2.2

nat (inside,outside) source static server server-xlate service ports ports-xlate

Find the document below for more information and let me know how you would like to proceed :

https://supportforums.cisco.com/docs/DOC-9129

Regards,

Aditya

Please rate helpful posts and mark the correct answers.

marcio.tormente · ‎03-15-2016

This link is the same that Dinesh sent to me and my dought about it are:

In your exemplo obj server is my internal IP and obj server-xlate is the public IP, right?

About the ports, Is necessary to translate? Because the aplication will use the same port in both direction

Aditya Ganjoo · ‎03-15-2016

Hi Marcio,

In your case the nat would be like:

nat (inside,outside) source static obj-192.168.13.1 obj-200.x.x.x ports ports-xlate

And yes you need to translate the ports even though we will use the same port in both direction.

Hope it answers your query.

Regards,

Aditya

Please rate helpful posts.

marcio.tormente · ‎03-15-2016

Thanks Aditya.

All the information help me a lot.

Thanks

Aditya Ganjoo · ‎03-15-2016

Hi Mario,

Glad to help you :)

Regards,

Aditya

NAT on 5506